December 18, 2019

Secure Left: Security and SaaS Product Development in the New Reality

At Armor, we simplify security and compliance for SaaS providers, securing workloads in the cloud from intrusion, theft, and exposure.

“Shift Left” testing methodologies that emerged in the early 2000s helped SaaS developers address an important reality: waterfall approaches to development were unable to meet the demanding needs of accelerated technology and competition.

Today, SaaS companies move even faster. Testing cycles are automated early and often. The new reality of cloud computing is one in which virtual instances and containers add both speed and complexity. It demands a reimagining of SaaS development around a "Secure Left" philosophy that integrates security from the earliest stages of the process. Taking security seriously from the start is a precondition for the success and viability of new software-as-a-service providers.

The Risk of Leaving Security Behind in an Increasingly Agile World

Almost 20 years after the Shift Left movement and the introduction of agile methodologies, SaaS companies move faster still: developer teams spin up new iterations and configurations in minutes, deliver them through complex cloud services, and operate under a shared responsibility model in which the provider secures the underlying platform and the customer secures everything built on top of it. Several layers of protection are required as a result.

Public cloud providers such as AWS and Azure protect the underlying infrastructure itself, but everything the customer deploys on it, from identities and network rules to storage permissions and application code, remains the customer's responsibility. The number of interconnected services and the pace of platform change make misconfigurations and failures more frequent, not less. SaaS companies therefore need a broader perspective on the importance and impact of security. Without it, they put themselves and their customers at risk, sometimes to devastating effect.

The More Critical Your Application, the Bigger the Target

Take, for example, a SaaS provider developing a simple application to track workouts. The DevOps team may not think such an app requires heavy lifting when it comes to security or compliance, only to find themselves sprinting for the exits when their first healthcare client suffers a breach through bad code or an exposed Amazon S3 bucket, or is struck with ransomware. Ransomware delivered through one Managed Service Provider to the dental industry hit over 400 practices this year, and all at once.

There is no better lesson for SaaS providers: the more critical your application and the farther your reach, the more opportunity for your product to become a target. Often, the damage done is substantial.

Security As Design

For SaaS businesses born in the cloud, a narrow focus on rapid iteration and improvement of your applications, without a wider view of the impact on security and compliance, can leave your business exposed, over budget, or even forced into bankruptcy by a breach. Beyond the "test early and often" shift-left methodologies, SaaS companies must now integrate security from the initial design stage, securing to the left the components that are vital to keeping them in business.

Agile Methodologies in SaaS

Building software is a fundamentally difficult process with an array of moving parts and inter-dependencies. Initial waterfall models for development consisted of steps traditional project managers would recognize, organized into distinct phases and akin to a happy Keebler tree of assembly-line processes, milestones, and timelines. Unfortunately, this resulted in a great deal of work that, in many cases, never delivered a product to market.

Agile development methodologies evolved around early release of evolving design and code, daily builds with fast turnaround of changes, and deeply skilled, self-organizing teams. The Agile Manifesto (2001) expressed this as four values, each naming the quality that matters more:

Individuals and interactions over processes and tools

Working software over comprehensive documentation

Customer collaboration over contract negotiation

Responding to change over following a plan

Integrating Security Into an Agile Process

In “Secure Left” methodologies, SaaS companies should add “Security as design over security as an add-on,” or perhaps “Security as primary objective over mere feature.” Only when this shift in the importance of security occurs will companies be able to keep up with threat actors, including internal ones.

In immunology, affinity maturation describes the process by which cells produce antibodies with increasing affinity for an antigen over the course of an immune response. With repeated exposure to the same antigen, a host produces antibodies of successively greater affinity. This is a good metaphor for security in the "Secure Left" methodology. By exposing your team to attacker techniques early, through threat modeling and adversarial testing during design rather than after release, your organization builds ongoing and adaptive defenses.

Secure Your Data With Armor Anywhere


Our product, Armor Anywhere, is purpose-built for the cloud and delivers cost-effective security and compliance protection for your workloads, no matter where they reside.

Securing Left Can Save Your SaaS Business Money

Notably, the "Secure Left" approach can result in significant cost savings, better quality control, faster time to market, and improved business continuity. Teams reduce the cost of rework by putting security controls in place early, and by mapping those controls to the relevant compliance frameworks at the design stage they reduce auditing costs and improve quality control.

Adding an Additional Layer of Protection to SaaS Applications in the Cloud

To reduce security threats, SaaS teams must begin with a design and development process that brings the Design, Development, Operations and Security teams together, leveraging automation to simplify security and expedite deployment. By integrating the right security tools into the development lifecycle, rather than bolting them on in a separate process, SaaS companies add a further layer of protection to their cloud applications and environments.

Securing Left elevates business-critical security requirements and lets teams address cloud integration issues, misconfigurations, bugs, and other vulnerabilities before an application reaches production. In practice that means the same pipeline that builds and tests the code also evaluates the infrastructure it will run on (public storage, world-open network rules, unencrypted data stores) and refuses to ship when a high-severity finding is present.
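The following is an added example, not code from the Armor post or from Armor Anywhere, of the kind of pre-production policy check described above. It runs a small set of rules over a constructed inventory of cloud resources, blocks the deploy on any high-severity finding, and routes each finding to an owning team so that alert handling is decided at design time rather than after go-live. The resource shape, rule names, severities and team names are assumptions made for illustration; a real pipeline would read a Terraform plan or CloudFormation template instead of the inline list.

```python
"""
Added example (not from the Armor post): a minimal pre-production policy
check of the kind a "Secure Left" pipeline runs on infrastructure
definitions before they reach production. The resource format, rule
names and team routing are assumptions for illustration, not any
vendor's schema.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed inventory of cloud resources in a simplified JSON-like shape
# (assumption; a real pipeline would parse a Terraform plan or CloudFormation).
INVENTORY = [
    {"type": "s3_bucket", "name": "workout-uploads",
     "acl": "public-read", "block_public_access": False, "sse": None},
    {"type": "s3_bucket", "name": "app-logs",
     "acl": "private", "block_public_access": True, "sse": "AES256"},
    {"type": "security_group", "name": "db-sg",
     "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "rds_instance", "name": "patients-db",
     "publicly_accessible": True, "storage_encrypted": False},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    severity: str   # "high" blocks the deploy; "medium" is reported only
    owner: str      # team that triages the finding, decided at design time


# Each rule inspects one resource and returns zero or more findings.
Rule = Callable[[dict], list]


def s3_public(r: dict) -> list:
    """Flag buckets that are publicly readable or lack at-rest encryption."""
    if r["type"] != "s3_bucket":
        return []
    out = []
    if r["acl"].startswith("public") or not r["block_public_access"]:
        out.append(Finding("s3-public-exposure", r["name"], "high", "appsec"))
    if not r["sse"]:
        out.append(Finding("s3-no-encryption", r["name"], "medium", "platform"))
    return out


def sg_world_open(r: dict) -> list:
    """Flag any ingress rule that admits the whole internet."""
    if r["type"] != "security_group":
        return []
    return [Finding("sg-open-to-world", f'{r["name"]}:{rule["port"]}', "high", "platform")
            for rule in r["ingress"] if rule["cidr"] in ("0.0.0.0/0", "::/0")]


def rds_exposed(r: dict) -> list:
    """Flag databases reachable from the internet or stored unencrypted."""
    if r["type"] != "rds_instance":
        return []
    out = []
    if r["publicly_accessible"]:
        out.append(Finding("rds-public", r["name"], "high", "appsec"))
    if not r["storage_encrypted"]:
        out.append(Finding("rds-unencrypted", r["name"], "medium", "platform"))
    return out


RULES: list[Rule] = [s3_public, sg_world_open, rds_exposed]


def evaluate(inventory: list[dict]) -> list[Finding]:
    """Run every rule over every resource and collect the findings."""
    return [f for r in inventory for rule in RULES for f in rule(r)]


def gate(findings: list[Finding]) -> bool:
    """True if the deploy may proceed: no high-severity findings remain."""
    return not any(f.severity == "high" for f in findings)


def route(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by owning team so response ownership is fixed before go-live."""
    queues: dict[str, list[str]] = {}
    for f in findings:
        queues.setdefault(f.owner, []).append(f"{f.rule} on {f.resource}")
    return queues


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.resource} -> {f.owner}")
    print("deploy allowed:", gate(found))
```

Run against the constructed inventory, the check produces five findings (three high, two medium), so gate() returns False and the build would stop; the compliant "app-logs" bucket on its own passes. Severity and owner live on the rule, not on the alert, which is the design-stage decision the text calls for: nobody has to work out after the fact who is paged when a public bucket appears.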

Integrate Security Early to Avoid Technical Debt

Failure to integrate security early on can create a creeping administrative and technical debt, or the catch-up debt developers incur when controls or specifications are deployed “after the fact.”

Over time, that debt becomes a string of vulnerabilities that stretches budgets and delivery timelines. Administrative and technical debt also accrues when DevOps teams turn on native cloud security controls without first deciding how the resulting alerts will be triaged, who owns them, and how response will be handled.

Investing in security up front is therefore a strategic move that avoids both the cost of fixing software after the fact and the administrative debt that follows. When security is guided by a strategic hand, it also helps SaaS developers better understand the value of their application and the necessity of protecting its critical data.

A New Call to Action for SaaS

SaaS vendors must weigh which security functions they are willing to take on and how those decisions affect their ability to create new code. Striking the right balance minimizes the cost of additional rework.

Born-in-the-cloud SaaS startups may be wise to outsource their security functions to a third party who has the scale and expertise to protect their organization at a reasonable cost. Larger established SaaS companies with dedicated security teams already in place may be wise to leverage third-party tools for analysis and correlation.

What's more, the secure left approach adds to your brand reputation, showcasing your security investment and building confidence with investors, employees, vendors, and customers.

OpenKey, one of Armor's partners, has integrated our security solutions early in their product development. Security is vital for their product—digital locks on hotel rooms and dormitories. They feature a "Powered by Armor" logo on their website, proudly displaying how the emphasis on security has positively impacted their brand in the marketplace.

Understanding Security in an Increasingly Complex World

In the end, today's SaaS developers should ask early how security outcomes will be achieved in a hybrid and multi-cloud world, and what tools or skills will be required to get there. They should consider the risk of choosing a single vendor and the price of lock-in. They should also define the process for investigating alerts and decide who handles response and how.

Considering all of this late in the process is no longer wise or acceptable; it adds cost and administrative debt. Armor provides solutions to these challenges, which now arrive earlier in the lifecycle, at a fraction of the cost of doing it yourself, and more economically than many of our competitors.

No More Excuses

If the old approach to software development is defined by "Shift Left," the modern equivalent is, surely, to "Secure Left." Technologies like virtual machines and containers make development cycles even faster, and that same speed makes it easier and cheaper to move security and compliance to the left side of the development life cycle. There is no excuse for SaaS developers not to improve their security posture at every step.



Armor is a global cybersecurity software company. We simplify protecting data and applications in private, public, or hybrid clouds as well as help organizations comply with major regulatory frameworks and controls. We know security is complex; it doesn’t have to feel that way.